Another ransomware operation known as ‘BlackKingdom’ is exploiting the Microsoft Exchange Server ProxyLogon vulnerabilities to encrypt servers. Over the weekend, security researcher Marcus Hutchins, aka MalwareTechBlog, tweeted that a threat actor was compromising Microsoft Exchange servers via the ProxyLogon vulnerabilities to deploy ansomware. Based on the logs from his honeypots, Hutchins states that the threat actor used the vulnerability to execute a PowerShell script that downloads the ransomware executable from ‘yuuuuu44[.]com’ and then pushes it out to other computers on the network. Honeypots are devices with known vulnerabilities exposed on the Internet to lure attackers and monitor their activities. Hutchins’ honeypots, though, did not appear to become encrypted, and the attack he witnessed was believed to be a failed campaign.
